{% extends 'partials/base.html' %}

{% block header %}
  {% include 'partials/base_header.html' %}
{% endblock %}

{% block content %}
  <!-- Page Content -->
  <div id="page-content-wrapper">
    {% include 'partials/navbar.html' %}
    <div class="container-fluid">
      {% if msg %}
        <div class="alert alert-info">
          <h4 class="alert-heading">System Message</h4>
          <p>{{msg}}</p>
        </div>
      {% endif %}
      <h1 class="mt-4">Damn Vulnerable GraphQL Application</h1>
      <hr />
      <h4>Welcome!</h4>
      <p>
        Damn Vulnerable GraphQL Application, or DVGA, is a vulnerable GraphQL implementation. DVGA allows learning how GraphQL can be exploited as well as defended in a safe environment.
      </p>
      <br />
      <h4>Getting Started</h4>
      <p>
        If you aren't yet familiar with GraphQL, see the GraphQL Resources section below. Otherwise, start poking around and find the loopholes: there are GraphQL
        implementation flaws as well as general application vulnerabilities.
      </p>
      <p>You can set a "game mode" in DVGA, either beginner level or expert level, by clicking the cube icon in the top bar menu and choosing the level. This is a global setting that applies to all clients (GUI or CLI).</p>
      <p>If you are interacting with DVGA programmatically, you can also set the game mode by sending the HTTP request header <code>X-DVGA-MODE</code> with the value <code>Beginner</code> or <code>Expert</code>.</p>
      <p>If the header is not set, DVGA uses the mode last chosen in the user interface, or <u>Beginner mode</u> if none was chosen.</p>
      <br />
      <h4>Difficulty Level Explanation</h4>
      <h5>Beginner</h5>
      <p>
        DVGA's Beginner level is the default GraphQL implementation without any restrictions, security controls, or other protections. This is what most GraphQL implementations give you out of the box without hardening, plus the custom vulnerabilities DVGA adds on top.
      </p>
      <h5>Hard</h5>
      <p>DVGA's Hard level is a hardened GraphQL implementation that adds a few security controls against malicious queries, such as cost-based analysis, query depth limits, and field de-duplication checks.</p>
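      <p>As an added illustration of two of the controls named above, the following Python snippet is not DVGA's own code: it implements a query depth limit and a field de-duplication check over a deliberately minimal GraphQL selection-set parser. It goes beyond the page in that it states the general algorithm (recursive depth of nested selection sets, repeated field names within one selection set) rather than DVGA's specific configuration. The sample queries, field names, and the depth limit of 3 are constructed for the example; argument lists are stripped with a regex and aliases are dropped, so strings containing parentheses and fragments are out of scope.</p>

```python
import re

# Constructed sample queries; field names are illustrative, not taken from DVGA's schema.
SHALLOW_QUERY = """
query {
  pastes { id title content }
}
"""

DEEP_QUERY = """
query {
  pastes {
    owner {
      pastes {
        owner {
          pastes { id }
        }
      }
    }
  }
}
"""

DUPLICATE_FIELD_QUERY = """
query {
  systemHealth
  systemHealth
  pastes(limit: 5) { id id title }
}
"""

# Tokens we care about: braces and field/alias identifiers.
TOKEN_RE = re.compile(r"[{}]|[A-Za-z_][A-Za-z0-9_]*")


def tokenize(query):
    """Reduce a query to brace and identifier tokens (simplified, see lead-in)."""
    # Drop argument lists; assumes no parentheses inside string arguments.
    stripped = re.sub(r"\([^)]*\)", "", query)
    # Drop aliases ("alias: field" becomes "field"), so aliased copies of a
    # field count as repeats. That is a design choice of this example.
    stripped = re.sub(r"\b[A-Za-z_][A-Za-z0-9_]*\s*:", "", stripped)
    return TOKEN_RE.findall(stripped)


def parse_selection(tokens, pos):
    """Parse tokens after an opening brace. Returns (fields, position after the
    closing brace); each field is (name, child_fields_or_None)."""
    fields = []
    while len(tokens) > pos:
        tok = tokens[pos]
        if tok == "}":
            return fields, pos + 1
        if tok == "{":
            raise ValueError("selection set without a field name")
        pos += 1
        children = None
        if len(tokens) > pos and tokens[pos] == "{":
            children, pos = parse_selection(tokens, pos + 1)
        fields.append((tok, children))
    raise ValueError("unbalanced braces")


def parse_query(query):
    """Return the top-level selection set of the first operation in the query."""
    tokens = tokenize(query)
    if "{" not in tokens:
        raise ValueError("no selection set")
    fields, _end = parse_selection(tokens, tokens.index("{") + 1)
    return fields


def max_depth(fields):
    """Depth of a selection set: 1 for a leaf field, 1 plus the child depth otherwise."""
    depth = 0
    for _name, children in fields:
        d = 1 if children is None else 1 + max_depth(children)
        depth = max(depth, d)
    return depth


def duplicate_fields(fields, path=""):
    """Dotted paths of fields that repeat within the same selection set."""
    seen = set()
    dups = []
    for name, children in fields:
        full = f"{path}.{name}" if path else name
        if name in seen:
            dups.append(full)
        seen.add(name)
        if children:
            dups.extend(duplicate_fields(children, full))
    return dups


def check_query(query, max_allowed_depth=3):
    """Return a list of policy violations; an empty list means the query passes."""
    fields = parse_query(query)
    problems = []
    depth = max_depth(fields)
    if depth > max_allowed_depth:
        problems.append(f"depth {depth} exceeds limit {max_allowed_depth}")
    for dup in duplicate_fields(fields):
        problems.append(f"duplicate field {dup}")
    return problems


if __name__ == "__main__":
    for label, q in [("shallow", SHALLOW_QUERY), ("deep", DEEP_QUERY), ("duplicates", DUPLICATE_FIELD_QUERY)]:
        print(label, check_query(q) or "ok")
```

      <p>Running the script prints <code>ok</code> for the shallow query, a depth violation for the deeply nested one, and two duplicate-field findings for the third. A real deployment would run such checks in a validation rule before execution and reject the request, which is the kind of control DVGA's Hard level stands in for.</p>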
      <br />
      <h4>GraphQL Resources</h4>
      <p>
        To learn about GraphQL, and common GraphQL weaknesses and attacks, the following
        resources may be beneficial:
      </p>
      <h5><i class="fa fa-play"></i> &nbsp; Videos</h5>
      <ul>
        <li>
          <a href="https://www.youtube.com/watch?v=ZQL7tL2S0oQ" target="_blank">GraphQL in 40 Minutes</a>
        </li>
        <li>
          <a href="https://www.youtube.com/watch?v=OQCgmftU-Og" target="_blank">Hacking GraphQL For Beginners</a>
        </li>
        <li>
          <a href="https://www.youtube.com/watch?v=NPDp7GHmMa0&t=2580" target="_blank">LevelUp 0x05 - REST in Peace</a>
        </li>
      </ul>

      <h5><i class="fa fa-newspaper"></i> &nbsp; Articles</h5>
      <ul>
        <li>
          <a href="https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html" target="_blank">OWASP GraphQL Defense</a>
        </li>
        <li>
          <a href="https://labs.bishopfox.com/tech-blog/design-considerations-for-secure-graphql-apis" target="_blank">BishopFox Labs - Design Considerations</a>
        </li>
      </ul>
      <br />
      <h4>Got Stuck?</h4>
      <p>
        Head over to the <a href="/solutions">Solutions</a> page to reveal
        the challenge answers.
      </p>
      <br />
      <h4>Bug Reporting</h4>
      <p>
        Found a bug? Submit an issue on
        <a href="https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application/issues">GitHub</a>.
      </p>
    </div>
  </div>
  <!-- /#page-content-wrapper -->
{% endblock %}

{% block scripts %}
  {% include 'partials/base_scripts.html' %}
{% endblock %}
